Hack The Box: Fuse

October 31, 2020
| No Comments

Jump Ahead: EnumUserRootSpecial ThanksResources

TL;DR;

To solve this machine, we begin by enumerating open services. Doing so, we learn that the machine exposes a lot of ports – mostly associated with an Active Directory server, as well as a web server. Going to the web server redirects us to a vhost, which we add to /etc/hosts. Browsing to the vhost gives us usernames for the domain. Using cewl, we generate a password list, and use hydra to bruteforce credentials. We get 2 set of credentials, however, are unable to use them due to force password reset being enabled for the accounts. Changing bhult‘s password, we gain access to the DC via RPC, where we find credentials for the svc-print account. Using WinRM to connect to the machine as svc-print, we gain access to user.txt. Starting initial enumeration, we learn the svc-print account has the SeLoadDriverPrivilege privilege enabled. Using this to load a vulnerable driver, we are able to exploit it to get NT Authority\System access and read root.txt.

Enumeration

Like all machines, we begin by enumerating all exposed services. Doing so returns 20 open ports. We observe that the majority of the ports suggest that this is an Active Directory (AD) Domain Controller (DC).

$ nmap -v -p- --min-rate 3000 $RHOST
$ nmap -A -oA scans/nmap/tcp-scripts -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49669,49670,49672,49690,49752 $RHOST
# Nmap 7.80 scan initiated Sat Jun 20 22:25:41 2020 as: nmap -A -oA scans/nmap/tcp-scripts -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49666,49667,49669,49670,49672,49690,49752 10.10.10.193
Nmap scan report for fuse.fabricorp.local (10.10.10.193)
Host is up (0.053s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http         Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-21 03:43:14Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49672/tcp open  msrpc        Microsoft Windows RPC
49690/tcp open  msrpc        Microsoft Windows RPC
49752/tcp open  msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/20%Time=5EEED340%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h37m28s, deviation: 4h02m32s, median: 17m26s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2020-06-20T20:45:36-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-21T03:45:33
|_  start_date: 2020-06-21T03:12:53

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jun 20 22:30:44 2020 -- 1 IP address (1 host up) scanned in 303.65 seconds

From the nmap script scans, we learn the domain is fabricorp.local, and the machine’s name is fuse. Going to the web server on port 80, we are redirected to the subdomain fuse.fabricorp.local, which we add to our /etc/hosts file for further enumeration. Anonymous authentication on SMB is allowed, however, no shares are exposed. Anonymous authentication via RPC is also enabled, however, nearly every command we run returns permission denied. Lastly, in initial enumeration, we check LDAP for information, however, do not find anything that is too helpful.

$ ldapsearch -h $RHOST -s base -x

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
currentTime: 20200621153421.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=fabricorp,DC=loc
 al
dsServiceName: CN=NTDS Settings,CN=FUSE,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=fabricorp,DC=local
namingContexts: DC=fabricorp,DC=local
namingContexts: CN=Configuration,DC=fabricorp,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=fabricorp,DC=local
namingContexts: DC=DomainDnsZones,DC=fabricorp,DC=local
namingContexts: DC=ForestDnsZones,DC=fabricorp,DC=local
defaultNamingContext: DC=fabricorp,DC=local
schemaNamingContext: CN=Schema,CN=Configuration,DC=fabricorp,DC=local
configurationNamingContext: CN=Configuration,DC=fabricorp,DC=local
rootDomainNamingContext: DC=fabricorp,DC=local
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
highestCommittedUSN: 109549
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: Fuse.fabricorp.local
ldapServiceName: fabricorp.local:fuse$@FABRICORP.LOCAL
serverName: CN=FUSE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
 ation,DC=fabricorp,DC=local
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Getting User

Having put the discovered vHost into our /etc/hosts file, we go to http://10.10.10.193 which redirects us to http://fuse.fabricorp.local/papercut/logs/html/index.htm. Looking around the page, we see that the application is “Papercut Print Logger”, which is an application to view print jobs. Clicking the links to the different print jobs, we are able to pillage domain usernames.

Getting redirected to the PaperCut print logger and finding potential usernames

Next, we can use cewl to generate a password list for easy brute forcing with hydra. Doing so, we find 2 sets of valid credentials.

$ cewl -d 5 --with-numbers http://fuse.fabricorp.local/papercut/logs/html/index.htm >potential-passwords.txt
$ hydra smb://$RHOST -L usernames.txt  -P potential-passwords.txt -m "other_domain:fabricorp"
Bruteforcing account credentials

Using Impacket’s smbclient.py, we can attempt to use the credentials to list the exported SMB shares. Doing so, we get an error message stating the credentials are valid, however, we need to change the passwords prior to logging into the machine. To change the passwords, we can use smbpasswd. When trying to change the password, we notice there is a password policy in place. In addition, the password gets reset every few seconds or so, and cannot be changed to a previously used password.

Checking the credentials, then changing the credentials

After successfully changing the password (and realizing the constant reset and policy), we decide to swap to rpcclient for enumeration, as it maintains a persistent connection. While enumerating RPC, we learn there is a svc-print account, which leads us to invoke the enumprinters command. Having done so, we find a password, which we assume is for the svc-print account. As a quick check, we attempt to use smbmap to check them – which shows they are valid.

Finding new credentials via RPC and checking them with smbmap

Since we know that the credentials are valid, and WinRM is running on the machine, we can use evil-winrm to gain shell access to the machine. Once we are on the machine, we find user.txt on svc-print‘s Desktop.

$ evil-winrm  -i $RHOST -u svc-print -p 'password
PS > cd C:\Users\svc-print\Desktop
PS > cat user.txt
Logging in via WinRM and getting user.txt

Getting Root

Having gotten access on the machine, we begin our local enumeration by first checking out everything about our user by running whoami /all. Doing so, we see that we have the SeLoadDriverPrivilege privilege, which means that we have the ability to load system drivers.

Checking our privileges

Doing a little research, we learn that loading the Capcom.sys driver will allow us to execute command as the kernel. Following this guide, we upload the Capcom.sys driver to the machine via WinRM. Next, we generate a Meterpreter reverse shell as our payload, and download the mentioned driver loader and exploiter programs. We modify the code with the path to the Capcom driver, as well as the path to the reverse shell. We build the projects, then upload them to the remote server. *You will have better lucky if you use absolute paths* Lastly, we start our reverse listener, then execute the driver loader, followed by the exploiter. We should now have a reverse shell as NT Authority\System, and can now read root.txt.

Getting a reverse shell as NT Authority\System, and reading the root flag

Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!

Resources

Special Thanks

As I am pretty nooby when it comes to Active Directory/Windows, I would like to extend a special thank you to the following individual for going above and beyond to explain concepts to me rather than just telling me what to look at.

Hack The Box Write-ups
| Tags: ,